search cancel

Password Services and Active Directory Global Catalog support Trigger unexpected behavior


Article ID: 42177


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



Password Services and Active Directory Global Catalog support


When a disabled AD user tries to authenticate with the out-of-box HTML form based authentication, SM redirects user to the smpwservices page. This behavior was not expected because there is no password policy associated with the directory object used for authentication at the SMPS. 

Expected behavior:
SMPS should reject authentication for disabled AD users, but there should not be a redirect to smpwservices page.


Policy Server OS: Windows 2008 Standard SP2 , 32 bit

SMPS : Version 12, SP 3, CR5 

Webserver OS: 32 or 64bit ? Windows 2008 R2, 64 bit, SP1

Webagent: IIS agent version? SiteMinder ISAPI 6.0 WebAgent, Version 12.0 QMR03, Update HF-05, Label 427. IIS version is 7.5.7600.16385

Directory: AD Active Directory 2008.


You can configure a user directory connection that lets the Policy Server communicate with an Active Directory Global Catalog user store. 

The Policy Server user store supports the Global Catalog Support feature in Active Directory. However, features that require writing to Active Directory, such as Password Services, are not supported, because Global Catalog does not support writes to Active Directory.

The challenge you will see is  the setting "User Must Change Password at Next Login" which does not actually prevent login. In a Windows World, once you login, you should get prompted for a password change. Otherwise anyone who attempts to login with that account would be prompted AND ALLOWED to change the password and then be granted access. The successful authentication should be allowed to complete first.

Additional Information:




Component: SMAPC